1841-1 is the router acting as the firewall: it inspects traffic from inside to outside, and the traffic to be inspected is selected by matching it against the class map.

An alternative to ASA

Suppose your customer has a budget constraint and wants security but does not want to pay for an ASA until more budget is planned for the next work year. You can suggest using a router as the firewall as a temporary solution until the customer is ready to purchase an ASA. The zone-based firewall inspects layer 3, 4 and 7 packets and decides whether traffic should pass (forwarded without inspection), be dropped, or be inspected (stateful packet inspection: unsolicited traffic that did not originate from the inside is dropped; otherwise the traffic is allowed through).

The zone-based firewall model is the default behaviour of all ASA and PIX products. On the ASA/PIX, using ASDM you specify which interface is trusted and which is untrusted; the interfaces are then defined as inside and outside based on your choice. Once the interfaces are defined, the ASA assigns default security levels: the inside interface gets security level 100 and the outside interface security level 0, where 100 is fully trusted and 0 is not trusted at all. The default behaviour is that traffic from inside to outside is allowed and inspected, return traffic for sessions solicited from the inside is allowed back from outside to inside, and unsolicited traffic that did not originate from the inside interface is dropped unless you configure an ACL or a policy that permits specific traffic from outside to inside.

Stateful packet inspection

Modern firewalls, hardware or software, use stateful packet inspection. The action taken on traffic (drop or pass) is based on the packet type (L3, L4 and L7). For TCP the state is easy for a firewall to determine because the connection has a defined lifetime (a window); after a certain period of idle time the firewall closes the "door" on the outside interface. UDP is harder: it is a connectionless, send-and-forget protocol, so the firewall has no way to know whether a returning UDP packet is solicited or unsolicited; hence for UDP there is a timer that governs how long the "door" stays open. ICMP is the worst case: it is neither TCP nor UDP, and it is hard to tell whether an ICMP packet is malicious or just a normal test. On the ASA there is a special statement just for ICMP echo tests; by default ICMP is dropped.

Class maps are also used in MQC to classify interesting traffic for QoS; the class map used here is of a type that is exclusive to the zone-based firewall. This class map is a classification of the traffic types that you want the firewall to inspect.

Step 2: Configure a policy map based on the configured class map. The policy map is an action list applied to the traffic classified by the class map.
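The two steps above, together with the per-protocol idle timers from the stateful packet inspection section, as one complete Cisco IOS zone-based firewall configuration. This is an added example, not configuration from the original post: the interface names, zone and policy names, the 10.0.0.0/24 inside network and the timer values are all assumptions.

```cisco
! Added example (not from the original post): Cisco IOS zone-based firewall on an
! 1841-class router, inspecting inside -> outside only. Interface names, zone names,
! policy names, the 10.0.0.0/24 inside network and the timer values are assumptions.
!
! Step 1: a class-map of type inspect selects which traffic the firewall tracks.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Idle timers control how long the return "door" stays open per protocol:
! TCP has a real connection, so it can stay open longest; UDP and ICMP have no
! connection state, so their doors close quickly after the last packet.
parameter-map type inspect INSPECT-TIMERS
 tcp idle-time 3600
 udp idle-time 30
 icmp idle-time 10
!
! Step 2: a policy-map of type inspect attaches an action (inspect / pass / drop)
! to each class. Everything not explicitly classified falls into class-default
! and is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect INSPECT-TIMERS
 class class-default
  drop log
!
! Security zones and the unidirectional zone-pair that carries the policy.
! Because no OUTSIDE -> INSIDE zone-pair exists, unsolicited traffic from outside
! is dropped; only replies to inspected inside-originated sessions are allowed back.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Assign each interface to its zone. An interface in no zone cannot talk to a
! zone member at all, so both interfaces must be placed.
interface FastEthernet0/0
 description inside LAN (assumed addressing)
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0/1
 description outside / WAN
 ip address dhcp
 zone-member security OUTSIDE
```

To confirm the policy is doing what the text describes, generate some traffic from an inside host and look at the session table with `show policy-map type inspect zone-pair sessions`: each inside-originated TCP, UDP or ICMP flow should appear as an established session, while a connection attempted from the outside should produce no session and, with `drop log`, a log entry. Note that traffic to or from the router itself belongs to the built-in self zone and is not affected by the INSIDE/OUTSIDE zone-pair; protecting management access to the router needs a separate policy on a zone-pair involving the self zone.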